PT-2025-51930 · ChurchCRM · ChurchCRM

Author: Uartu0 · Published: 2025-12-17 · Updated: 2025-12-20 · CVE-2025-68112

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3

Description: ChurchCRM is an open-source church management system. A SQL injection flaw exists in the Event Attendee Editor. This allows authenticated users to execute arbitrary SQL commands, potentially leading to complete database compromise, administrative credential theft, and system takeover. Attackers could extract sensitive member data, authentication credentials, and financial information. The vulnerable component is the Event Attendee Editor. SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

Recommendations: Upgrade to version 6.5.3 to address this issue.

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2025-68112, GHSA-HXF4-3VHP-WQCQ

Affected Products: ChurchCRM